virtualization

School of Computer & Information Sciences

ITS-532 Cloud Computing

Chapter 9 – Securing the Cloud

Learning Objectives

• List the security advantages of using a cloud- based provider.

• List the security disadvantages of using a cloud-based provider.

• Describe common security threats to cloud- based environments.

Physical Security • IT data centers have been secured physically to

prevent users who do not have a need to physically touch computers, servers, and storage devices from doing so.

• A general security rule is that if an individual can physically touch a device, the individual can more easily break into the device.

Advantages of Cloud Providers with Respect to Security

• Immediate deployment of software patches

• Extended human-relations reach

• Hardware and software redundancy

• Timeliness of incident response

• Specialists instead of personnel

Disadvantages of Cloud-Based Security

• Country or jurisdiction issues

• Multitenant risks

• Malicious insiders

• Vendor lock in

• Risk of the cloud-based provider failing

Confidentiality • Confidentiality is the characteristic of something being made accessible only to authorized parties.

Within the cloud, confidentiality must be maintained for data in transit and in storage.

Figure 6.1 The message issued by the cloud consumer to the cloud service is considered confidential only if it is not accessed or read by an unauthorized party.

Integrity • Integrity is the characteristic of not having data altered by an unauthorized party. Integrity extends

to how data is stored, processes, and transmitted.

Figure 6.2 The message issued by the cloud consumer to the cloud service is considered to have integrity if it has not been altered.

Basic Terms and Concepts • Authenticity – being provided by and authorized source • Availability – being available during a specified time period • Threat – a potential security violation that can challenge defenses • Vulnerability – a weakness that can be exploited • Risk – possibility of loss or harm from an activity • Security Controls – countermeasures us to prevent or respond to security

threats and to reduce or avoid risk • Security Mechanisms – components of a defensive framework that

protects IT resources, information, and services.

Security Risk – Flawed Implementation • Substandard design, implementation, or configuration of cloud services can have serious undesired

consequences runtime exceptions and failures.

Figure 6.15 Cloud Service Consumer A’s message triggers a configuration flaw in Cloud Service A, which in turn causes the virtual server that is also hosting Cloud Services B and C to crash.

Risk Management • To reduce risk in the Cloud, a formal

risk assessment should be performed as a cyclical process including risk assessment, risk treatment, and risk control.

Figure 6.16 The on-going risk management process, which can be initiated from any of the three stages.

Real World: McAfee Security as a Service

• McAfee now offers a range of security solutions that deploy from the cloud. The solutions protect e- mail (spam, phishing, redirection, and virus elimination), websites, desktop computers, mobile devices, and more.

Data Storage Wiping • Within a cloud-based disk storage facility, file wiping overwrites a file’s previous contents when the

file is deleted.

Denial of Service Attacks

• A denial-of-service attack is a hacker attack on a site, the goal of which is to consume system resources so that the resources cannot be used by the site’s users.

• The motivation for and the implementation of denial-of-service attacks differ.

Simple Denial of Service

:Loop

ping SomeSite.com

GOTO Loop

• While responding to the ping message, the server can handle fewer other requests

Distributed Denial of Service (DDOS) Attack

• A distributed denial-of-service (DDoS) attack uses multiple computers distributed across the Internet to attack a target site

Packet Sniffing Attacks • Network applications communicate by exchanging network packets. Each computer within a wired

network examines the message address to determine if the message is for an application it is running.

Packet Sniffing Continued • A hacker can write code that lets his system examine the content of each

packet that travels past it. • Within a wireless network, hackers can simply monitor the airways to

intercept packets. • The cloud, because it allows users to connect to applications from

anywhere, increases potential risks. Users may connect from an insecure network or a network in which the wireless traffic is being monitored.

• The best defense against a packet sniffing attack is to use secure (encrypted) connections.

Man-in-the-Middle Attack • Within a man-in-the-middle attack, a hacker intercepts the messages a user and system are

exchanging. The hacker can view and/or change the message contents.

Monitoring Device Screens • Years ago, when employees accessed sensitive or confidential data

only from within their office, the data was better physically protected from prying eyes.

• The cloud, however, extends the delivery of such data to users who are any place, at any time, and often to any device.

• The net result is that within a busy coffee shop or an airport, strangers can see data ranging from human-relations information or customer sales data to student grades, and more.

Malicious Employees • Companies spend considerable amounts of money

trying to protect their data and communications from hackers.

• IT staffs deploy firewalls, use encryption, monitor network traffic for intrusion, and much more. With all of these security features in place, the most difficult challenge for a company to defend itself against is a malicious employee.

Malicious Employees Continued • Developers, for example, have access to databases,

and IT staff members have access to various system passwords, which means that each may have access to human-relations data, payroll data, e- mail content, and so on.

• By shifting data to the cloud, you move sensitive data away from your own employees.

Hypervisor Attack • When you virtualize a server, each server operating

system runs on top of special virtualization software called the hypervisor.

• Hypervisor developers such as VMware and Microsoft constantly focus on ways to lock down and secure the hypervisor to reduce risks.

• The hypervisor will remain an attractive hacker target as companies continue to virtualize solutions.

Hypervisor Attack Continued • Hackers refer to the process of taking over the

hypervisor as a hyperjacking attack. • To reduce the chance of a hypervisor being taken over

by malicious code the underlying hardware may assign a state value, like a cyclic redundancy check (CRC), to the hypervisor. If this value changes, the hardware can detect that the hypervisor has been attacked or replaced.

Guest Hopping Attack • Hackers refer to an attack from one guest operating system to another as a guest hopping attack.

Real World: Cloud Security Alliance

• The Cloud Security Alliance is a not-for-profit organization, the goal of which is to promote education of cloud security issues.

• The Cloud Security Alliance consists of a large coalition of cloud practitioners, companies, associations, and other cloud stakeholders.

SQL Injection Attack

• Many web applications present forms that users must complete by filling in fields and then submitting the form contents for processing.

• The application that receives the form data often stores the data within an SQL database.

SQL Injection Attack Continued • An SQL-injection attack occurs when a malicious user inserts one

or more SQL queries within one or more of the fields. For example, rather than simply typing in his or her last name, the hacker might type the following: Smith; DROP DATABASE EMPLOYEES;

• Depending on how the database uses the user input, the processing may result in the execution of the injected SQL, which in this case would delete the database of the company’s employees.

SQL Injection Attacked Cont. • Many cloud-based software as a service (SaaS)

solutions are multitenant applications, which means different customers may share underlying resources such as a database.

• If the SaaS application falls victim to SQL injection, it might be possible for a user in one company to view, change, or destroy the data of another company.

Real World: ENISA

• The European Network and Information Security Agency (ENISA), based in Greece, promotes cybersecurity best practices. Within the ENISA website, you will find a broad range of papers and reports on a variety of security topics.

Improving Physical Security through Colocation

• By using colocated, replicated hardware and software, cloud solution providers reduce many threats to IT resources.

Key Terms

References

Primary:

Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security

and more. Burlington, MA: Jones & Bartlett Learning.

Secondary:

Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper

Saddle River, NJ: Prentice Hall.